All three are thought to exist in all previous 1.2.0 test releases
(1.2.0pre[1-10], 1.2.0rc[1-2]). All three have now been fixed, and patches
have been committed to the ProFTPD CVS repository. A new release, 1.2.0rc3,
containing these fixes has been made available as of 5 February and is
available from:

ProFTPD may leak memory when commands are executed. However, this leak will
take place *only* if ProFTPD's scoreboard file is not writable. If ProFTPD
is installed properly and is allowed to write to the scoreboard file, no
leak will take place. The scoreboard file is created in
/usr/local/var/proftpd/ in a standard installation from source. If you did
not install ProFTPD from sources, please contact your vendor for the
intended location of your scoreboard file.

Two minor format string vulnerabilities were found in ProFTPD. Due to the
nature of the data processed by the affected sections of code, these
vulnerabilities are very difficult, if not impossible, to exploit.

A full audit was done on the callers of any functions that accept
printf-like format arguments. One minor, unexploitable issue was found in a
third-party module (mod_ratio) and has been fixed. No other format string
vulnerabilities were found.
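
The caller pattern such an audit looks for, next to its fixed form, as an added example (not code from ProFTPD or from this advisory). The names reply_fmt, reply_safe and reply_unsafe and the sample input are hypothetical; the format attribute assumes GCC or Clang.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-like helper (not a ProFTPD function). The attribute
 * marks argument 3 as a printf format checked against the variadic
 * arguments from position 4 on, so the compiler can flag callers that
 * pass a non-literal format with no arguments. */
__attribute__((format(printf, 3, 4)))
static int reply_fmt(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);   /* bounded, always terminated */
    va_end(ap);
    return n;                              /* length that was requested */
}

/* Fixed pattern: untrusted text is only ever an argument, never the format. */
static int reply_safe(char *out, size_t outlen, const char *untrusted)
{
    return reply_fmt(out, outlen, "%s", untrusted);
}

#ifdef SHOW_UNSAFE
/* Pattern the audit flags: caller-supplied text used as the format, so any
 * conversion specifiers inside it are interpreted. Not built by default. */
static int reply_unsafe(char *out, size_t outlen, const char *untrusted)
{
    return reply_fmt(out, outlen, untrusted);
}
#endif

int main(void)
{
    char buf[64];
    const char *input = "name%x%n";        /* constructed sample input */
    int n = reply_safe(buf, sizeof buf, input);

    printf("%d bytes: %s\n", n, buf);      /* specifiers copied literally */
    return strcmp(buf, input) != 0;
}
```

Building with `-Wformat -Wformat-security -DSHOW_UNSAFE` makes the compiler warn at the reply_unsafe call, which is one way to find such callers mechanically.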